Hi everyone,
I am new to Java and I am working with the Normalizer class.
I am trying to normalize Unicode to check for XSS. If I pass the input string to a method and normalize that string inside the method, it does not work. But if I define the string inside the method (hardcode the value on the string variable) and pass it to the normalize function, it works.
// This doesn't work; it returns the same string I entered.
// This works. It converts the Unicode to "<"
Thank you in advance for the help.
Neither of those code fragments "work" because they won't even compile. How about if you show us a complete example? (See the page at SSCCE to see what that means.)
I am sorry for the code. This is my first time.
Here is what I am trying to do:
The input I get back from the JSP page is "\uFE64" and this is the value that gets passed to this method, and after it is normalized it still prints "uFE64", whereas the previous piece of code prints "<".
It seems that you are claiming that passing a string as a parameter to a method works differently than using the same string as a local variable in that method, although you haven't really posted an example of that claim. But obviously that isn't the case. So your problem must be that the string you are passing as the parameter is not the same as the string you are hard-coding as the local variable.
At any rate an explanation of a problem normally tells the reader what was input, what was output, and what was expected to be output instead. You haven't really provided any of those things; it would help if you did.
Doel Durieux wrote: The input I get back from the JSP page is "\uFE64" and this is the value that gets passed to this method, and after it is normalized it still prints "uFE64", whereas the previous piece of code prints "<".
Aha, sorry, you must have been editing as I was typing my last reply. So disregard what I typed there, this is much better information.
When you use code like this:
that's called a "Unicode escape". When the Java compiler sees that literal in your source code, it interprets it as a single Unicode character. In this case it's the character U+FE64. Now that's the Java compiler doing that, remember.
When you type "\uFE64" somewhere else, in an HTML form which is sent to your web application for example, the Java compiler is not involved. So that string is treated as the 6 characters that you see there and it's not converted to a single Unicode character. That's the difference.
Thanks for the reply, I understand now.
So if someone is trying to input malicious code using Unicode instead of "<" ">", there is no need to normalize the input string before validating the string to make sure there is no malicious code???
I have no idea. From the little bit of what I found by googling "xss unicode normalization" it seems that most of the concern seems to be about converting bytes to Unicode characters in a non-standard fashion. What you posted there is nothing to do with that at all, I don't think.
However don't take me to be an expert. I'm not. I know almost nothing about this. My only advantage over you is that I know the terminology better than you, which makes me believe you are doing something useless. That doesn't mean that there is nothing to be done, it only means that what you are doing probably isn't it. If cross-site scripting is a concern for you then you really ought to hire a security expert who knows how to deal with it. Don't imagine that you can spend a couple of days asking questions on a forum and become that expert.
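The two points raised in this thread, the compile-time Unicode escape versus the six characters a form actually delivers, and what java.text.Normalizer does to the single character U+FE64, shown together in an added example that is not code from any poster. It assumes the NFKC form, since the original poster's normalize call is not shown; the method and class names are made up for the demo.

```java
import java.text.Normalizer;

public class UnicodeNormalizeDemo {

    // Fold the input to NFKC, so compatibility characters such as
    // U+FE64 (SMALL LESS-THAN SIGN) become their ASCII equivalents.
    // NFKC is an assumption; the thread does not show which form was used.
    static String normalizeNfkc(String input) {
        return Normalizer.normalize(input, Normalizer.Form.NFKC);
    }

    // The kind of check the thread discusses: look for "<" only after
    // normalizing, so a look-alike such as U+FE64 is not missed.
    static boolean containsLessThanAfterNormalize(String input) {
        return normalizeNfkc(input).indexOf('<') >= 0;
    }

    public static void main(String[] args) {
        // Case 1: a Unicode escape in source code. The compiler replaces
        // \uFE64 with ONE character before the program ever runs, which is
        // why the hard-coded version in the thread normalized to "<".
        String escapedAtCompileTime = "\uFE64";
        report("compile-time escape", escapedAtCompileTime);

        // Case 2: what arrives when a user types the same six characters
        // into a form. "\\u" keeps the backslash in the string, so the
        // compiler does not treat it as an escape. No Unicode character is
        // present, so normalization has nothing to fold.
        String typedIntoForm = "\\uFE64";
        report("six characters from a form", typedIntoForm);
    }

    // Print the length, code points and normalized form of a string.
    static void report(String label, String value) {
        System.out.println(label + ": length=" + value.length()
                + " codePoints=" + value.codePoints().mapToObj(
                        cp -> String.format("U+%04X", cp)).toList()
                + " normalized=" + normalizeNfkc(value)
                + " containsLessThan=" + containsLessThanAfterNormalize(value));
    }
}
```

Running it shows the first string is one code point that folds to "<", while the second stays six ASCII characters; deciding whether to interpret a literal "\uFE64" from a form as an escape is a separate design choice the thread does not make.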